18
votes

My company has a setup as follows:

  • subdomain1.domain1.com
  • subdomain2.domain1.com
  • subdomain3.domain1.com
  • subdomain4.domain1.com
  • subdomain5.domain1.com
  • subdomain6.domain1.com

  • subdomain1.domain2.com
  • subdomain2.domain2.com
  • subdomain3.domain2.com
  • subdomain4.domain2.com
  • subdomain5.domain2.com
  • subdomain6.domain2.com

On each site, bearing in mind there can be a hundred sites per subdomain, users can log in. We, as developers, have to test frontends across several browsers, but some work may only be required on a section once logged in.

I have written a userscript which enables us to save a username and password (and other details which I cannot mention because of confidentiality). The script checks to see if the user account exists by filling in the login form and clicking the submit button. If not, it registers for us - thus automating the registration process.

Sharing cookies between subdomains on the same domain is easy. If I am on subdomain1.domain1.com I can save a cookie which can be retrieved by subdomain2.domain1.com. However, I would also like to save these for domain2. I do not appear to be able to get this to work.

I can see two solutions from here - either:

1) attach an iFrame using the userscript, which loads a site on domain2. This then uses the querystring to decide what to set to what, or;

2) use a form with method="POST", and simply post to a file on each domain.

Either way will be resource intensive, particularly if the cookies are updated each time a cookie changes. We also have URL masking in place. So we'd also have to take into account sites like abc.clientdomain1.com, abc.clientdomain2.com etc.

Does anyone know of an easier way to achieve this?

5

5 Answers

13
votes

Create a common domain specifically for your cookies and use it as a getter/setter API.

http://cookie.domain.com/set/domain1
http://cookie.domain.com/get/domain1

http://cookie.domain.com/set/domain2
http://cookie.domain.com/get/domain2

and so on.

13
votes

This answer is a slightly different version of my answer on the question "Set cookie on multiple domains with PHP or JavaScript".

Do what Google is doing. Create a PHP file (or a file in any other server language) that sets the cookie on all 3 domains. Then on the domain where the login is going to be set, create an HTML file that would load the PHP file that sets the cookie on the other 2 domains. Example:

<html>
 <head></head>
 <body>
 Please wait..........
 <img src="http://domain2.com/setcookie.php?user=encryptedusername"/>
 <img src="http://domain3.com/setcookie.php?user=encryptedusername"/>
 </body>
</html>

Then add an onload callback on the body tag. The document will only load when the images have completely loaded, that is, when the cookies are set on the other 2 domains. Onload callback:

<head>
 <script>
 function loadComplete(){
  window.location="http://domain1.com";//URL of domain1
 }
 </script>
</head>
<body onload="loadComplete()">

Now cookies are set on the three domains.

Source

3
votes

Include a script tag from domain2 that sets the cookie using a username and hashed password:

<script type="text/javascript" src="http://domain2.com/cookie_login_page.php?username=johnsmith&hash=1614aasdfgh213g"></script>

You can then check to ensure that the hashed passwords match (one way).

Key points:

  1. Make the hashes in the URL time sensitive by appending a timestamp that will be agreed upon by the server (for example, 16:00, 16:10, etc) before hashing the string. If you're using HTTPS this is less of an issue.

  2. If your passwords are already hashed, it won't hurt to double-hash the passwords assuming the salts are the same on both servers.

Sample PHP code:

src:

<script type="text/javascript" src="/cookie_login_page.php?username=<?php echo urlencode($username); ?>&hash=<?php echo md5($password . date('H')); ?>"></script>

dest:

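<?php

// get_password() is the answer's own helper (not defined here); it is
// expected to return the stored password for the given username.
$password = get_password($_GET['username']);
// hash_equals() compares in constant time and avoids the loose == comparison,
// which treats some hex strings (e.g. "0e...") as equal numbers.
if (hash_equals(md5($password . date('H')), (string) ($_GET['hash'] ?? ''))) {
    // set the cookie
}
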
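
An added example, not part of the answer above or of any project's code: the time-sensitive hash from key point 1 in PHP, using HMAC-SHA256 with a shared key in place of md5 over the password, and accepting the previous time bucket so a link issued just before a boundary still verifies. `SHARED_KEY`, `WINDOW_SECONDS`, `make_token` and `verify_token` are assumed names, and the sample values are constructed.

```php
<?php
// Added example. All names and values here are assumptions, not the answer's code.

const SHARED_KEY     = 'constructed-demo-key'; // assumption: secret held by both servers
const WINDOW_SECONDS = 600;                    // 10-minute buckets ("16:00, 16:10, ...")

// Sending side: bind the token to the username and the current time bucket.
function make_token(string $username, int $now): string
{
    $bucket = intdiv($now, WINDOW_SECONDS);
    return hash_hmac('sha256', $username . '|' . $bucket, SHARED_KEY);
}

// Receiving side: accept the current bucket and the one before it, so a URL
// built at 15:59:58 is still valid when it is requested at 16:00:01.
function verify_token(string $username, string $token, int $now): bool
{
    $bucket = intdiv($now, WINDOW_SECONDS);
    foreach ([$bucket, $bucket - 1] as $candidate) {
        $expected = hash_hmac('sha256', $username . '|' . $candidate, SHARED_KEY);
        if (hash_equals($expected, $token)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed sample run: issue a token two seconds before a bucket boundary.
$issued = strtotime('2024-01-01 15:59:58 UTC');
$token  = make_token('johnsmith', $issued);

$cases = [
    'same user, 3 s later (crosses 16:00)' => ['johnsmith', $token, $issued + 3],
    'same user, 25 min later'              => ['johnsmith', $token, $issued + 1500],
    'different username, same token'       => ['mallory', $token, $issued + 3],
    'malformed token'                      => ['johnsmith', 'not-a-token', $issued],
];

foreach ($cases as $label => [$user, $tok, $when]) {
    printf("%-40s %s\n", $label, verify_token($user, $tok, $when) ? 'accepted' : 'rejected');
}
```
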
2
votes

For security reasons, sites cannot set or retrieve cookies on other domains. Scripting the form submit via JavaScript is likely the easiest to do, and will still store the cookies you need in the browser cache.

0
votes

As stated by others, you can't access cookies across domains. However, if you have control of the server code, you can return information in the body, and allow your client to read and store that information per server.

In my case, I'm connecting a single client to multiple servers, maintaining an authenticated connection to each one. I need to know when the session for each one is going to expire, so the authentication service returns the cookie, plus it modifies the body of the response to send the relevant data back, so that I can read that data and set my own cookies.

By doing this, I can manually track what I need. Won't work in every scenario, but might for some like me.